Update on 4/17/19: You may notice a new app in Google Play – it’s called the Microsoft Intune app. This app is in preview for new functionality for fully managed devices. We are rolling out the end-to-end scenario with this app and we expect it to be live by the first part of the 4/22/2019 week. More on this expanding workflow will be posted shortly!

Today we are releasing a preview of Android corporate-owned fully managed (formerly called Corporate Owned, Business Only (COBO) by Google) device management scenarios in Intune. This is Intune’s newest addition to its list of Android Enterprise management capabilities preceded by work profiles and dedicated (kiosk) devices.

NOTE - the preview is rolling out today - 1/17/19 and is expected to finish up by end of day. If you're on Government Cloud please note this may take until 1/18/19 to see the preview feature.

Android fully managed is one of the “device owner” management scenarios in the Android enterprise solution set that enables productivity scenarios for users on corporate devices while allowing IT admins to manage the entire device with an extended set of policy controls. This complements the Android Enterprise dedicated device solution set we released last year, which was focused on task workers and user-less devices. The extended policy capabilities in fully managed scenarios are only intended for corporate devices, which is why there are more controls and settings available here than on personal devices with work profiles. Combining the capabilities of these three solution sets now provides you more control over your Android device landscape.

Android fully managed is one of the “device owner” management scenarios in the Android Enterprise solution set that enables productivity scenarios for users while allowing IT admins to manage the entire device and enforce an extended range of policy controls, beyond that which is possible with work profiles on personal devices. Fully managed devices are company-owned general-purpose Android devices that are associated with a single user. These devices are assigned to individuals for getting their work done.

What is available in preview?

In today’s release, our Android fully managed preview focuses on device enrollment, configuration and app distribution scenarios. Our goal for this preview is to demonstrate the Android fully managed capabilities that we have built, gather feedback, and iterate before this feature becomes generally available in Intune.

This preview supports the following Android fully managed scenarios in Intune:

Device enrollment using NFC, token entry, QR code and Zero Touch

Device configuration for user groups

App distribution and configuration for user groups

There are a few scenarios not supported in this preview but will be completed for general availability, including:

Conditional access

Device compliance

App protection policies

Device group targeting

Certificate management

Knox Mobile Enrollment

Company Portal app for end-user scenarios

These scenarios may not function as expected on Android fully managed devices during this preview.

Device enrollment for Android fully managed devices

We’ve started with enrollment since this is the first step the IT admin and user must take to bring the device under IT management. The IT admin enables enrollment for fully managed devices in the Intune tenant. This generates a single enrollment token and QR code to be used for enrolling fully managed Android devices to the tenant. This single token is valid for all your users and will not expire; note that this token is for Microsoft Intune and is not specific to your tenant. A user requires both the enrollment token and valid user credentials to authenticate and enroll a device to your organization. The enrollment token can be disabled by the IT admin to prevent enrollment of fully managed devices.

Android fully managed devices support a variety of enrollment methods such as NFC, token entry, QR code and Zero Touch. These enrollment methods can be initiated on a new or factory-reset device so that the device is enrolled, user affinity is established, and device configuration policies are applied when the device is being set up for the first time. Enrollment options for Android devices are in documentation here: https://docs.microsoft.com/intune/android-enroll.

You can see the enrollment workflow in the short clip posted below.

Device configuration for Android fully managed devices

Device settings that apply to device owner in Intune are supported on Android fully managed devices. This means that IT admins can configure more advanced device-level settings on a fully managed device than on a work profile, such as allowing app installation only from managed Google Play, blocking uninstallation of managed apps, preventing users from factory resetting devices, controlling system update behavior, and more.

Note that dedicated device or kiosk settings are not applicable to Android fully managed devices. This preview supports targeting of device configuration policies to user groups only. Deploying device configuration policies to device groups may not function as expected during this preview.

App distribution and configuration for Android fully managed devices

Like existing Android enterprise scenarios (work profile and dedicated devices) in Intune, apps are distributed to Android fully managed devices using managed Google Play. In addition, you can use app configuration policies to supply settings to managed apps. You can configure email or VPN app settings in this manner as well.

Note that this preview supports deploying apps to user groups only. Deploying apps to device groups may not function as expected during this preview.

What are we still working on?

We are continuing to build Android fully managed support for the following key Intune features that will be announced when Android fully managed becomes generally available:

Conditional Access and compliance policies

App Protection Policies

Knox Mobile Enrollment

Certificate management

Device group targeting for profiles and apps

Dedicated user interface for configuring email, Wi-Fi or VPN

A new end-user app.

Known issues

You may need to tap on “Please click here to continue…” to complete device enrollment: during enrolling a fully managed device, you may see this page. Tap on “Please click here to continue…” to complete device enrollment.

Customer support for this preview

Note that the preview features are implemented to Microsoft Intune production standards. However, not all Intune features are available to be used with Android fully managed user devices during the preview as outlined above. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.

How to reach us?

As you review the Android fully managed preview scenarios, we would love to hear your feedback on the IT admin's enrollment profile configuration and the end user's device enrollment experience.

Keep us posted on your Android plans through comments on this blog post, through Twitter (#IntuneSuppTeam), and on UserVoice.

Holy mother.. everyone gets excited with COBO being announced. This was announced a couple of months ago, and it's still in preview for god knows how many months/years. Thank you but NO thank you. Kick it up a notch MS - other major vendors like Airwatch or MobileIron have much more to offer when working with Android enterprise. COPE anyone?

Phone number doesn't appear to be collected... IMEI, Manufacturer and Model are, but no Phone number... it would be useful to have that.

Associated user also seems to randomly be filled in; sometimes it is, and other times not, for the same device.

Biggest one for me however is the lack of password policies... they seem very spartan (no number of last passwords remembered, no encrypt options), and what is available (in my opinion) is useless because users aren't prompted to create a PIN... so a corporate device is left with no PIN if a user doesn't manually create one (and you can bet they don't unless forced), and because there's no compliance checks it doesn't matter if the policies that are in place fail or not....

Considering this Preview is focussed on business owned mobiles, strong password policies that users are forced to adhere to would seem a key thing to tackle early on...

I am also missing some of the basic apps like camera. I tried it on a Huawei and Samsung but same result. It seems a lot of basic native apps are hidden or not installed.

What I would really like to see is that the Android Fully Managed experience is similar to that of Apple. Giving the users a phone with an interface and apps that they are used to and allow things like public app store and all native apps.

I also understand this is a preview but frankly this has too limited functionality to conduct any proper testing.

Hey @Jeroen Dijkman, I've tried on a Samsung J6 via Knox Mobile Enrollment, which I'm pleased to say worked ok even though Knox is listed as an unsupported scenario. I found that in KME I needed to ensure the profile had "Leave all system apps enabled" ticked, which gave me the camera app back. With it unticked there were only a very few basic apps available (i.e. no camera app). Don't know if that might help in your scenario or not!

@Steve Prentice, thanks for your suggestion. We are not using the Knox Mobile Enrollment and have no plans to do so. So I hope we can get the setting "Leave all system apps enabled" from somewhere else.

Thanks for trying out the scenarios and providing detailed feedback. Regarding the issue where policy restrictions appear to be stuck in a "pending state" we are still investigating. I'll provide updates on this issue as possible.

We are also looking into the other areas of feedback provided around capabilities that are not available today.

Enrollment works really well, but the lack of PIN/Password enforcement is a problem. The configuration applies but shows errors if no PIN is already set. The device setup wizard does not require the user to set a PIN/Password, nor do they get notified to set one afterwards once the configuration policy has applied. If this is not possible then the apps and related app policies should not be deployed to the device until it meets the compliance requirements. As it stands, the Outlook app and mail profile get deployed to the device so the user has full access to corporate email resources without having any basic security on the device at all. Maybe this is something that can be controlled by conditional access once it's supported with device owner.

@NGreen99 Well summarised, that's what I was trying to say but less eloquently. :) Yes, it's a big problem for us, you'd never deploy any other corporate owned device with no password policies enforced, so I'm kind of surprised this was missed from the preview as it's a core feature in my opinion, even for a preview.

I'm interested in how you're pushing mail profile for Outlook, I'm having no luck... I'm using Client Apps, App configuration policies with an enrolled device enrolment type, but it just stays in a Pending state and never deployed.... which I put down to the Preview.

@Steve Prentice Yes, using Client Apps > App Configuration Policies with a "managed devices" device enrolment type. Used the configuration designer to set a basic authentication profile, and this was also working fine for Android work profiles.

Two things to note:

1) The device owner preview does not support targeting policies at devices, just users. Check your policy assignments are using a user based group or "all users", not a device based group otherwise the policy won't apply. Same applies to the apps themselves, assign these to a user based target otherwise the apps won't deploy to the device.

2) Even though the policy applies OK, the user is not listed at all on the "user install status" tab of the app configuration policy. The device shows under "device install status" but with a username of "none" and device status of "pending". Clearly some reporting issues here.

Hey @NGreen99, Thanks for coming back to me. :) It ended up being a bit of a mix of 1 and 2, so cheers for the reminders.... I had deployed Outlook to users, but was deploying the config policy to devices, once that's changed to All Users it started to work ok.... but as you said with 2, it reports that it's not worked which I was relying on too much to tell me the truth. :) My only problem now is that it wants the device to Register with AAD, so it appears to not notice that it's already Enrolled and takes me through a registration and MFA process (like personal devices would get with MAM-WE for us)... not a massive problem, but would be nicer if it didn't do that.

We don't get that problem @Steve Prentice. We enrolled the device (Android 8.1) using QR code and logged in via ADFS during the initial enrollment, but don't get prompted for any further enrollment afterwards.

Maybe worth checking all the settings in your device or app configuration policies? Did you perhaps choose Modern Authentication in your outlook app configuration? I think this authenticates directly to O365 with MFA. We use basic authentication to authenticate to on-prem Exchange using ActiveSync.

To clarify my earlier post, IF the user does manually set a PIN/password, they are required to meet the minimum requirements of the device configuration policy, and once set the errors no longer show against the device configuration policy status. So the policy is applying correctly, it's just an issue with forcing the user to add the initial PIN/password before allowing access to corporate resources.

Yep @NGreen99 that's it exactly. :) Modern to 365 via ADFS... I suspect it's hitting an Azure AD Conditional Access rule that doesn't see that the device is enrolled... which I guess is expected as Conditional Access isn't part of the Preview yet I think.

And yep, same noted with the password / PIN... to a degree.... one device enforces 8 digit as set, other one ignores, but I think that's due to KME on one and not the other, so guess that'll change once it's supported.

Hi @PriyaR455 … Trying to contact you directly, but I get "You have reached the limit for number of private messages that you can send for now. Please try again later.", even if I try on different days without sending any other private messages... no idea what's going on there, so apologies for not replying to you.

In short, password policies pending are no longer a problem, it's that they fail because there's no user prompt to set a PIN.

I note that my Samsung device it wasn't picking up the password policies, but now it is, so some work has obviously happened there.

Good luck with the rest of the Preview and thanks for keeping an eye on this thread.

Very much looking forward to increased password policy abilities, system apps and conditional access.

Apart from the What's New pages, is there anywhere to track what changes/additions have happened in the Preview?

@PriyaR455 and others- Should we add individual devices or users as members to the group that we are targeting for the Device Owner restriction policy and Managed Play Store apps. The reason I'm asking is we have users with multiple devices and we want only the Corporate Owned Fully Managed enrolled device to receive this policy and apps and not their non-AE enrolled device. I didn't see anything specific in the documentation above so that is why I'm asking. I wasn't sure if I just added the user to the group targeted, if Intune would have the logic to only apply that policy to the Fully Managed enrolled device. I believe I have had trouble in the past assigning a Security group to a specific device if I remember correctly. Thanks in advance.

@Jeroen Dijkman I've managed to get an Android Zero Touch portal account and added my test Sony device. Formerly it didn't get system apps like camera, but using "DPC Extras" in the portal with the string "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true I have now reset and reenrolled the device and now have system apps like Camera available. So, maybe talking with a telco to get a Zero Touch account might help you. It is a shame that via QR code enrolment you can't seem to do it.

@Steve Prentice Thanks for the suggestion about the Android Zero Touch portal. I will certainly give that a try. For your information I have received information from MS that they are working on this issue with Google.

For anyone reading along who needs system apps (@Jeroen Dijkman) enabled, it *is* possible, you just have to tinker a little bit.

As mentioned above, you can already do it with Zero Touch (by adding the "PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED" command as mentioned above in DPC Extras) and Knox Mobile Enrollment (by ticking the "Leave all system apps enabled" box).

1) Go to "Corporate-owned, fully managed user devices (Preview)", save the QR code as a picture

2) Decode the QR code in an online decoder (Google/Bing has many)

3) Take the produced text, add in the PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED command

4) Reencode the text to a new QR

Just to be clear the full command you want to add is:

"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true

Worked fine for me!
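The edit-the-payload step above, as an added example that is not the commenter's code and not anything shipped by Intune or Google: a small Python helper that validates the decoded QR text, adds the flag as a JSON boolean, and checks that nothing else in the payload changed before you re-encode it. The QR image decoding and encoding is left to whatever local tool you use. The payload below is constructed with placeholder values (component name, checksum, download URL, enrollment token); the key names other than the flag are Android's documented provisioning extras, assumed here as the shape of the payload because the post itself does not show Intune's real one.

```python
import json

# Flag the comment above adds so the setup wizard keeps the stock system apps
# (camera etc.) on a fully managed device.
LEAVE_SYSTEM_APPS_KEY = "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"

# Keys an Android Enterprise QR provisioning payload carries. The component
# name is mandatory; when the DPC is downloaded during setup, one of the two
# checksum keys pins the APK that gets installed as device owner.
COMPONENT_KEY = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD_KEY = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
CHECKSUM_KEYS = (
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM",
)

# Constructed sample payload in the shape of a decoded provisioning QR code.
# Every value is a placeholder, not Intune's real component name, checksum,
# download URL or enrollment token.
SAMPLE_PAYLOAD = json.dumps({
    COMPONENT_KEY: "com.example.dpc/.DeviceAdminReceiver",
    CHECKSUM_KEYS[0]: "PLACEHOLDER_SIGNATURE_CHECKSUM",
    DOWNLOAD_KEY: "https://dpc.example.invalid/placeholder.apk",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "enrollmentToken": "PLACEHOLDER_TOKEN",
    },
})


def validate_payload(payload_text: str):
    """Return (ok, reason) for a decoded QR payload before it is re-encoded."""
    try:
        data = json.loads(payload_text)
    except ValueError as exc:
        # A hand-edited payload with a missing comma or quote lands here.
        return False, f"not valid JSON: {exc}"
    if not isinstance(data, dict):
        return False, "top-level value must be a JSON object"
    if COMPONENT_KEY not in data:
        return False, f"missing {COMPONENT_KEY}"
    if DOWNLOAD_KEY in data and not any(k in data for k in CHECKSUM_KEYS):
        return False, "download location present but no checksum pins the DPC APK"
    return True, "ok"


def add_leave_system_apps(payload_text: str) -> str:
    """Return the payload with PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED set to true.

    Every key the original payload carried is kept as-is; only the one boolean
    is added (or overwritten if it was already present).
    """
    ok, reason = validate_payload(payload_text)
    if not ok:
        raise ValueError(reason)
    data = json.loads(payload_text)
    data[LEAVE_SYSTEM_APPS_KEY] = True  # a JSON boolean, not the string "true"
    # Compact separators keep the text, and therefore the QR code, small.
    return json.dumps(data, separators=(",", ":"))


def only_added_flag(original_text: str, modified_text: str) -> bool:
    """True if the edit changed nothing except adding the system-apps flag."""
    original = json.loads(original_text)
    modified = json.loads(modified_text)
    extra = set(modified) - set(original)
    return extra == {LEAVE_SYSTEM_APPS_KEY} and all(
        modified[k] == v for k, v in original.items()
    )


if __name__ == "__main__":
    new_payload = add_leave_system_apps(SAMPLE_PAYLOAD)
    print(new_payload)
    print("unchanged apart from the flag:", only_added_flag(SAMPLE_PAYLOAD, new_payload))
    # Typical hand-edit mistake: the new entry appended without a separating comma.
    broken = SAMPLE_PAYLOAD[:-1] + ' "' + LEAVE_SYSTEM_APPS_KEY + '": true}'
    print(validate_payload(broken))
```

Run it against the text your decoder produced instead of SAMPLE_PAYLOAD and only re-encode the string that validate_payload accepts; a payload the setup wizard rejects is often just no longer valid JSON after a manual edit. Two things worth keeping in mind: the checksum key is what ties the QR code to the specific DPC APK the device will install as device owner, so never drop or edit it, and the decoded text contains your enrollment token, so a local decoder is preferable to pasting it into an online one.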

It's been mentioned that MS are "working" on this with Google... but after reading the Android documentation this is a setting that needs to be enabled before Intune is managing the phone... i.e. at the QR code point... I can only assume MS will alter the Intune portal to have a checkbox to enable system apps that would then regenerate the QR code to have the right commands embedded in it... it's quite a small tweak, so I'm surprised this hasn't already been done, or information on how to manually do it passed on.

@Steve Prentice, thanks for the QR code tip. I managed to customize our QR code and it worked fine, all system apps enabled. I do think there was a small typo. The command I used was: "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true

We are having similar issues with fully managed devices. Policies are stuck in a pending state when applied to the user. Compliance policies are also never evaluated... Additionally, Intune doesn't show that a compliance policy is applied and therefore deems the device non-compliant due to the default policy. We are using the new Intune app with no success on either of these. I have opened a ticket in hopes to gain some progress.

I tried to enroll after re-encoding the QR code but it failed during enrollment with the message "Cant Setup Device - Reset". Would you mind sharing the full code? We have been through hell due to this and the support team couldn't do anything so far. Appreciate it!!